Transactions such as payments, other financial operations, and ticketing may be implemented using a tamper-resistant hardware device. This device is commonly referred to as a secure element. The secure element may be used for contactless transactions at a point of sale (POS). Contactless payments may occur over a wireless near field communications (NFC) channel. An applet may execute on the secure element to provide functionality for such transactions. When the secure element is embedded within a mobile computing platform such as smartphone, a higher-level application may execute on the mobile computing device. The application can interface with the applet and the secure element. For example, the user interface to the applet and thus the secure element is generally provided by the application.
A transaction or payment applet generally requires a personal identification number (PIN) to authorize a transaction. A user may set this PIN when first configuring the payment mechanism associated with the secure element. While use of a PIN is a critical security mechanism, PINs are generally quite short. Furthermore, research suggests that users generally pick relatively predictable PINs or reuse PINs that they use for other functions. For example, a user may select the same PIN for secure element access as used for a screen unlock function on the mobile device. In a system where the screen unlock PIN or codeword is less secured and easy to recover, the application on the secure element would be rendered vulnerable to compromise. There is a need in the art for leveraging the operating environment and features of a mobile device to increase security of user PINs associated with secure elements embedded within such mobile devices.